On Tue, Sep 28, 2010 at 01:56:13PM +0200, imsand@xxxxxxxxx wrote: > > On 28/09/10 08:24, imsand@xxxxxxxxx wrote: > >> Hello > >> > >> I get the following error when I try to log in through ssh (even if > >> selinux is in permissive mode!!!): > >> > >> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted > >> keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2 > >> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400 > >> audit(1285657292.298:286): avc: denied { audit_control } for > >> pid=12614 > >> comm="sshd" capability=30 scontext=system_u:system_r:sysadm_t > >> tcontext=system_u:system_r:sysadm_t tclass=capability > >> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error: > >> ssh_selinux_getctxbyname: Failed to get default SELinux security context > >> for mat > >> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: > >> ssh_selinux_getctxbyname: Failed to get default SELinux security context > >> for mat > >> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error: > >> ssh_selinux_setup_pty: > >> security_compute_relabel: Invalid argument > >> > >> I already went through this post: > >> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml but I > >> can't figure out the exact problem. > >> > >> Here is what I've done so far: > >> - Downloaded the latest reference policy from tresys: > >> http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2 > >> - Compiled and installed it on my sles 11.1 > >> - set selinux into permissive mode: (so far so good.. :)) > >> sestatus > >> SELinux status: enabled > >> SELinuxfs mount: /selinux > >> Current mode: permissive > >> Mode from config file: permissive > >> Policy version: 24 > >> Policy from config file: refpolicy > >> - Add selinux user "mat_u": semanage user -R "staff_r system_r" -P user > >> -a > >> mat_u > >> - Add linux user " mat": useradd mat > >> - Set password for "mat": passwd mat > >> - User mapping: semanage login -s mat_u -a mat > >> - add security context for "mat_u" by copying staff_u's context (don't > >> know if that's needed??!): cp > >> /etc/selinux/refpolicy/contexts/user/staff_u > >> /etc/selinux/refpolicy/contexts/user/mat_u > >> - set boolean for sysadm ssh login to true (don't know if thats > >> needed?!): > >> setsebool ssh_sysadm_login on > >> > >> In other posts I've read something about sepermit.conf and > >> namespace.conf > >> but these files don't exist on my system. What about these files? Do I > >> need them? > >> What's wrong on my system? > >> Why it's not possible to login even if selinux is in permissive mode? > >> Any suggestions? > > > > I'd start by trying to figure out why sshd isn't running in sshd_t (it > > seems to be running in sysadm_t). > > > > Paul. > > -- > > selinux mailing list > > selinux@xxxxxxxxxxxxxxxxxxxxxxx > > https://admin.fedoraproject.org/mailman/listinfo/selinux > > > > Yes, sshd is running in sysadm_t: > > # ps axZ | grep sshd > system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd > -o PidFile=/var/run/sshd.init.pi > > # ls -Z /usr/sbin/sshd > system_u:object_r:sshd_exec_t /usr/sbin/sshd > > Don't know why it's not sshd_t. I didn't modified something. It's a > standard installation of sles11 with the default reference policy from > tresys. > > Maybe this code snippet from policy/modules/services/ssh.te is responsible > for that: > ## <desc> > ## <p> > ## Allow ssh logins as sysadm_r:sysadm_t > ## </p> > ## </desc> > gen_tunable(ssh_sysadm_login, true) > > Any ideas? Do you have boolean init_upstart set to on? if not try setting it to on. I do not believe ssh_sysadm_login boolean works currently but i may be mistaken. > > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux
Attachment:
pgpxtIOIlcAjg.pgp
Description: PGP signature
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux